First time here? Check out the FAQ!
THIS IS A TEST INSTANCE. Feel free to ask and answer questions, but take care to avoid triggering too many notifications.
Ask Your Question
0

vlan tag missing in packets captured using custom socket but visible in wireshark

  • retag add tags

I am using

Code:

read_socket = socket( PF_PACKET, SOCK_RAW, htons(ETH_P_ALL) );

and for writing as well

Code:

write_socket = socket( PF_PACKET, SOCK_RAW, htons(ETH_P_ALL) );

while writing packet, I am writing entire packet ( i.e., ethernet header, ip header, udp header, application data and finally ethernet checksum )

but while capturing on other side using read_socket I am seeing, if it is just ethernet packet, entire packet is visible. But however, if I am sending packet with vlan tag, read_socket is capturing entire packet excluding vlan tag. As it is vlan 1ad packet, the four bytes in ethernet header are missing.

But entire packet is visible in wireshark capture. Tried identifying the socket used by wireshark, but not able to succeed. I downloaded the wireshark source code, kept logs where ever socket function call is there, compiled and used that executable to capture the packets without installing. Because I already have the one installed using "sudo apt", probably installed libraries are being used even though I am running the locally compiled executable.

To my surprise, if I open the read socket after started sending the vlan packets, I am seeing the entire packet is getting captured(i.e., including vlan tag). But If I open the read / write sockets, then start sending the packets, I am seeing vlan tag is missing....!!!

But I can't afford opening read socket after started sending packets, as I will be loosing some packets. Can someone help me in always capturing the entire packet including vlan tag

Note: Both the network cards are existing in same machine and are connected B2B. Project requirement is to send / receive packets via Tx/Rx queues.

chakka.lokesh's avatar
1
chakka.lokesh
asked 2020-03-20 08:19:53 +0000
edit flag offensive 0 remove flag close merge delete

Comments

Seems to me to be off-topic as it's a programming question, not a Wireshark one.

One thing to be aware of is that as both NIC's are on the same machine the OS might take a short circuit and not generate the Ethernet\VLAN part of the packet as it never leaves the machine.

grahamb's avatar grahamb (2020-03-20 09:24:35 +0000) edit
more
  • delete
add a comment see more comments

3 Answers

1

Cliffs Notes version:

The Linux networking stack pulls VLAN tags out of the body of a packet and puts it into metadata in the "socket buffer" structure for the packet. If you're reading from a PF_PACKET/SOCK_RAW socket - whether using a socket system call or a memory-mapped buffer - the data you read will have the VLAN tags stripped out, so, to reconstruct the packet as it appeared on the wire, you'll need to get the VLAN tag information from the metadata and reconstruct it.

Libpcap will do that for you. If you really want to do the capturing yourself, see how libpcap does it. If you want to do it on non-memory-mapped sockets, you'll have to look at the libpcap 1.9 code; the master branch only uses memory-mapped sockets.

Guy Harris's avatar
19.9k
Guy Harris
answered 2020-03-31 19:53:11 +0000, updated 2020-04-01 05:15:51 +0000
edit flag offensive 0 remove flag delete link
more

Comments

add a comment see more comments
0

Solved. Thanks for the support.

https://www.linuxquestions.org/questi...

chakka.lokesh's avatar
1
chakka.lokesh
answered 2020-03-30 07:04:57 +0000, updated 2020-03-31 06:22:39 +0000
edit flag offensive 0 remove flag delete link
more

Comments

Can you put the Cliff Notes version of the solution here? I read through the link above and see that it was solved but not how.

Chuckc's avatar Chuckc (2020-03-30 13:22:17 +0000) edit
more
  • delete

please refer the attachment in that link. It is executable code.

chakka.lokesh's avatar chakka.lokesh (2020-03-31 06:23:39 +0000) edit
more
  • delete
add a comment see more comments
0

Unfortunately the VLAN information is passed through as auxiliary data to the socket. Libpcap, the library that's actually interfacing with the network on behalve of Wireshark, does a lot of work to re-insert the VLAN data into the frame. See the pcap-linux.c file and search for 'vlan'.

Jaap's avatar
13.7k
Jaap
answered 2020-03-20 10:06:48 +0000
edit flag offensive 0 remove flag delete link
more

Comments

Could changing the rx-vlan-offload, tx-vlan-offload settings possibly help here using ethtool's rxvlan, txvlan options? There's no mention of this on the CaptureSetup/VLAN wiki page, so I suspect not, or perhaps it would help, but only for certain NICs/drivers?

cmaynard's avatar cmaynard (2020-03-20 14:50:14 +0000) edit
more
  • delete

Dear Jaap,

Thanks for the valuable information.

Here is the read socket 

int create_read_sock( char const * const card_name )
{
    const int sock = socket( PF_PACKET, SOCK_RAW, htons(ETH_P_ALL) );//Lokesh experiment with zero instead of ETH_P_ALL
    if( sock == -1 )
    {
        perror( "read socket" );
        exit(EXIT_FAILURE);
    }
struct ifreq ifr;
strncpy( ifr.ifr_name, card_name, IFNAMSIZ );
if( ioctl( sock, SIOCGIFFLAGS, &ifr ) == -1 )
{
    perror( "SIOCGIFFLAGS" );
    exit(EXIT_FAILURE);
}
ifr.ifr_flags |= ( IFF_PROMISC | IFF_UP );
if( ioctl( sock, SIOCSIFFLAGS, &ifr ) == -1 )
{
    perror( "SIOCSIFFLAGS" );
    exit(EXIT_FAILURE);
}

struct sockaddr_ll my_addr =
{
    .sll_family = PF_PACKET,
    .sll_protocol = htons(ETH_P_ALL),
    .sll_ifindex = if_nametoindex(card_name)
};
if( bind( sock, (struct sockaddr *)&my_addr, sizeof(my_addr) ) == -1 )
{
    perror( "bind read socket" );
    exit(EXIT_FAILURE);
}
int one = 1;
if( setsockopt( sock, SOL_PACKET, PACKET_AUXDATA, &one, sizeof(one)) < 0 )
{
    perror( "read socket PACKET_AUXDATA" );
    exit(EXIT_FAILURE);
}
return sock;
}

While reading the packet I am following like this:

struct tpacket_auxdata auxdata;
temp_bytes = read( read_socket, read_array, pkt_size );

        if( auxdata.tp_status & TP_STATUS_VLAN_TPID_VALID )
        {//vlan 802.1ad
            memmove( read_array+(2*ETH_ALEN), read_array ...
(more)
chakka.lokesh's avatar chakka.lokesh (2020-03-24 12:32:17 +0000) edit
more
  • delete
add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Add Answer